On May 29, 2013, a bill, accompanied by an explanatory memorandum, was proposed in the Australian Parliament that would require businesses and government agencies that experience a serious data breach to notify affected individuals and the Office of the Australian Information Commissioner (“OAIC”). The proposed legislation requires organizations to notify individuals only when they are “significantly affected” by a “serious” data breach; breaches that pose merely a “remote risk” of harm would not require notification. The factors organizations should assess when determining whether a breach is “serious” include: (1) harm to a person’s reputation, (2) economic harm, (3) financial harm, and (4) physical and psychological harm. Additionally, the bill specifies that implementing regulations may identify other situations that would require notification even if the breach does not give rise to a risk of serious harm. Organizations should notify affected individuals through the method of communication they have normally used with those individuals. Absent such a prior method of communication, organizations must take reasonable steps to notify the affected individuals via email, telephone or postal mail. If passed, the legislation would become effective in March 2014.
Timothy Pilgrim, Australia’s Privacy Commissioner, noted that the number of data breach notifications received by the OAIC declined nearly 20 percent from the 2010-2011 financial year to the 2011-2012 financial year. Because research indicated that the aggregate number of data breaches has been increasing in Australia, Commissioner Pilgrim was concerned that the OAIC was only being notified in a small percentage of actual breaches. Currently, data breach notification in Australia is voluntary except in limited circumstances under eHealth laws.